Simon in his FOCS'94 paper was the first to show an exponential gap between classical and
quantum computation. The problem he dealt with is now part of a well-studied class of
problems, the hidden subgroup problems. We study Simon's problem from the point of view of
quantum query complexity and give here a first nontrivial lower bound on the query
complexity of a hidden subgroup problem, namely Simon's problem. Our bound is optimal up to
a constant factor.

1 Introduction

Given an Abelian group $G$ and a subgroup $H \le G$, a function $f : G \to X$ is said to be
hiding $H$ if $f$ can be defined in a one-to-one way on $G/H$. More precisely, $f$ hides $H$
if and only if

$$\forall g, g' \in G \quad \bigl(f(g) = f(g') \iff \exists h \in H,\ g = g' + h\bigr).$$

Suppose $G$ is a fixed group and $f$ is computed by an oracle: a quantum black-box. We
are interested here in algorithms that find the hidden subgroup $H$. A large amount of
documentation about the hidden subgroup problem can be found in the book of Nielsen
and Chuang [?]¹. Among all work already done about such algorithms one can cite Shor's
famous factoring algorithm: it uses a period-finding algorithm, which is a special case
of a hidden subgroup problem. In recent years, attention has shifted to non-Abelian hidden
subgroup problems but we will restrict our attention here to Abelian groups, and in fact
to the family of groups $(\mathbb{Z}/2\mathbb{Z})^n$.

In general, two kinds of complexity measures for black-box problems can be distinguished:
query complexity, i.e., the number of times the function $f$ is evaluated using the
black-box, and computational or time complexity, i.e., the number of elementary operations
needed to solve the problem. Typically, a hidden subgroup algorithm is considered
efficient if its complexity (in query or in time, depending on the interest) is polynomial
in the logarithm of the cardinality of $G$. For example, Kuperberg's algorithm [?] for the
(non-Abelian) dihedral hidden subgroup problem is subexponential (but superpolynomial)
in both time and query complexities. We give here a first nontrivial lower bound on the
query complexity of a hidden subgroup problem, namely, Simon's problem.

¹ History of the problem on page 246 and expression of many problems (order-finding, discrete
logarithm...) in terms of hidden subgroup problems on page 241.

This problem is defined as follows: we are given a function $f$ from
$G = (\mathbb{Z}/2\mathbb{Z})^n$ to a known set $X$ of size $2^n$, and we are guaranteed
that the function fulfills Simon's promises, that is either:

(1) $f$ is one-to-one, or

(2) $\exists s \neq 0\ \ \forall w, w' \quad f(w) = f(w') \iff (w = w' \lor w = w' + s)$.

The problem is to decide whether (1) or (2) holds. Note that (1) is equivalent to "$f$
hides the trivial subgroup $H = \{(0, \dots, 0)\}$" and (2) is equivalent to "$f$ hides a
subgroup $H = \{(0, \dots, 0), s\}$ of order 2". The original problem was to compute $s$ and
the problem considered here is the associated decision problem. Of course, any lower bound
on this problem will imply the same one on Simon's original problem. In his article, Simon
shows that his problem can be solved by a quantum algorithm which makes $O(n)$ queries
in the worst case and has a bounded probability of error. The time complexity of his
algorithm is linear in the time required to solve an $n \times n$ system of linear equations
over $(\mathbb{Z}/2\mathbb{Z})^n$. He also shows that any classical (probabilistic) algorithm
for his problem must have exponential query complexity. In this paper we shall give an
$\Omega(n)$ lower bound on the query complexity of Simon's problem, thus showing that Simon's
algorithm is optimal in this respect. As a side remark, note that Simon also gives a Las
Vegas version of his algorithm with expected query complexity $O(n)$. Even better, Brassard
and Høyer [2] have given an "exact polynomial time" quantum algorithm for Simon's problem
(i.e., their algorithm has a polynomial worst case running time and zero probability of error).

The two main methods for proving query complexity lower bounds in quantum computing
are the adversary method of Ambainis and the polynomial method (for an excellent
review of these methods in French, read [?]). We shall use the polynomial method, which
was introduced in quantum complexity theory in [?]. There are recent interesting
applications of this method to the collision and element distinctness problem [?]. All
previous applications of the polynomial method ultimately rely on approximation theory
lemmas of Paturi [?] or Nisan and Szegedy [?]. Besides the application to a new type of
problems (namely, the hidden subgroup problems) we also contribute to the development of
the method by applying it in a situation where these lemmas are not applicable. Instead,
we use an apparently new (and elementary) approximation theory result: Lemma 3 from
Section 3.

In future work we plan to apply the polynomial method to other hidden subgroup
problems. For a start, it seems that the groups $(\mathbb{Z}/p\mathbb{Z})^n$ where $p$ is a
fixed prime can be handled in essentially the same way.

2 Preliminaries 

We assume here that the reader is familiar with the basic notions of quantum computing
[?] and we now present the polynomial method. Let $A$ be a quantum algorithm solving
Simon's decision problem. Without loss of generality, we can suppose that for every $n$ the
algorithm $A$ acts like a succession of operations

$$U_0, O, U_1, O, \dots, O, U_{T(n)}, M$$

on $m$ qubits, for some $m \ge 2n$, starting from state $|0\rangle^{\otimes m}$. The $U_i$ are
unitary operations and $O$ is the call to the black-box function: if $x$ and $y$ are elements
of $\{0, 1\}^n$ then $O\,|x, y, z\rangle = |x, y \oplus f(x), z\rangle$. The operation $M$ is the
measurement of the last qubit. There are some states of $(m-1)$ qubits
$|\phi_0(n, f)\rangle$ and $|\phi_1(n, f)\rangle$ (of norm possibly less than 1) such that

$$U_{T(n)} O U_{T(n)-1} O \cdots O U_0 \,|0\rangle^{\otimes m} = |\phi_0(n, f)\rangle \otimes |0\rangle + |\phi_1(n, f)\rangle \otimes |1\rangle.$$

After the measurement $M$, the result is 0 (reject) with probability
$\| |\phi_0(n, f)\rangle \|^2$ and 1 (accept) with probability $\| |\phi_1(n, f)\rangle \|^2$.
The algorithm $A$ is said to solve Simon's problem with bounded error probability $\epsilon$
if it accepts any bijection with probability at least $1 - \epsilon$ and rejects every other
function fulfilling Simon's promise with probability at least $1 - \epsilon$. By definition,
the query complexity of $A$ is the function $T$. Here is our main result.

Theorem 1 If $A$ is an algorithm which solves Simon's problem with bounded error
probability $\epsilon$ and query complexity $T$, then we have
$T(n) \ge \frac{n + 2 + \log_2(2 - 4\epsilon)}{8}$ for every large enough integer $n$.

As explained in the introduction, our proof of this theorem is based on the polynomial
method. Lemma 1 below is the key observation on which this method relies. We state it
using the formalism of [?]: if $s$ is a partial function from $(\mathbb{Z}/2\mathbb{Z})^n$ to
$E$ and $f$ a function from $(\mathbb{Z}/2\mathbb{Z})^n$ to $E$, $|\mathrm{dom}(s)|$ denotes the
size of the domain of $s$. Moreover, we define:

$$I_s(f) = \begin{cases} 1 & \text{if } f \text{ extends } s \\ 0 & \text{otherwise.} \end{cases}$$

Lemma 1 If $A$ is an algorithm of query complexity $T$, there is a set $S$ of partial
functions from $(\mathbb{Z}/2\mathbb{Z})^n$ to $E$ such that for all functions
$f : (\mathbb{Z}/2\mathbb{Z})^n \to E$, $A$ accepts $f$ with probability

$$P_n(f) = \sum_{s \in S} \alpha_s I_s(f)$$

where for every $s \in S$ we have $|\mathrm{dom}(s)| \le 2T(n)$ and $\alpha_s$ is a real number.

The goal is now to transform $P_n(f)$ into a low-degree polynomial of a single real variable.
This is achieved in Proposition 1. We can then prove and apply our lower bound result on
real polynomials (Lemma 3).

3 Main proof 

An algorithm for Simon's problem is only supposed to distinguish between the trivial
subgroup and a hidden subgroup of cardinality 2. To establish our lower bound, we will
nonetheless need to examine its behavior on a black-box hiding a subgroup of arbitrary
order (a similar trick is used in [?] and [?]). Note that this "generalized Simon problem"
(finding an arbitrary hidden subgroup of $(\mathbb{Z}/2\mathbb{Z})^n$) can still be solved in
$O(n)$ queries and bounded probability of error by essentially the same algorithm, see for
instance [?].

From now on we suppose that $A$ is an algorithm solving Simon's problem with bounded
error probability $\epsilon < \frac{1}{2}$ and query complexity $T$. Moreover,
$P_n(f) = \sum_{s \in S} \alpha_s I_s(f)$ as given by Lemma 1.

For $0 \le d \le n$ and $D = 2^d$, let $Q_n(D)$ be the probability that $A$ accepts $f$ when
$f$ is chosen uniformly at random among the functions from $(\mathbb{Z}/2\mathbb{Z})^n$ to $E$
hiding a subgroup of $(\mathbb{Z}/2\mathbb{Z})^n$ of order $D$. Of course, $Q_n(D)$ is only
defined for some integer values of $D$ and it can be extended in many different ways. By abuse
of language we will say that $Q_n$ is a polynomial of degree $d$ if it can be interpolated by
a polynomial of degree $d$.

The point of this definition is that we have a bound on some values of $Q_n$, and a gap
between two of them. Namely, we have:

1. for any integer $d \in [0;n]$, $0 \le Q_n(2^d) \le 1$ (this number is a probability), and

2. $Q_n(1) \ge 1 - \epsilon$ and $Q_n(2) \le \epsilon$, hence
$|Q'_n(x_0)| \ge 1 - 2\epsilon > 0$ for some $x_0 \in [1;2]$.

If we denote by $X_D$ the set of functions hiding a subgroup of order $D$, by Lemma 1 we
have $Q_n(D) = \sum_{s \in S} \alpha_s \left( \frac{1}{|X_D|} \sum_{f \in X_D} I_s(f) \right)$. Hence

$$Q_n(D) = \sum_{s \in S} \alpha_s Q_n^s(D), \tag{1}$$

where $Q_n^s(D)$ is the probability that a random function $f$ hiding a subgroup of order $D$
extends $s$. We now prove that $Q_n$ is a low-degree polynomial. By (1), it suffices to bound
the degree of $Q_n^s$. Let us start by counting subgroups:

Lemma 2 Let $n$ and $k$ be nonnegative integers.

The group $(\mathbb{Z}/2\mathbb{Z})^n$ has exactly
$\beta(n, k) = \prod_{0 \le i < k} \frac{2^{n-i} - 1}{2^{k-i} - 1}$ distinct subgroups of order $2^k$.

Proof

We look at $(\mathbb{Z}/2\mathbb{Z})^n$ as a vector space over the field
$\mathbb{Z}/2\mathbb{Z}$: from this point of view the subgroups are the subspaces. We start by
counting the number of free $k$-tuples of vectors. For the first vector $v_0$, we can choose
anything but 0, so there are $2^n - 1$ choices. For the second vector $v_1$ we can choose
anything but 0 and $v_0$; $2^n - 2$ possibilities remain. For the third vector, any linear
combination of $v_0$ and $v_1$ is forbidden: there are 4 of them. In general, the number of
free $k$-tuples of vectors is $\alpha(n, k) = \prod_{0 \le i < k} (2^n - 2^i)$. Each subspace of
dimension $k$ can be generated by $\alpha(k, k)$ different $k$-tuples, so the total number of
subspaces of dimension $k$ is
$\frac{\alpha(n, k)}{\alpha(k, k)} = \prod_{0 \le i < k} \frac{2^{n-i} - 1}{2^{k-i} - 1}$. Note that
this formula is correct even if $k > n$, in which case $\alpha(n, k) = 0$. □

Proposition 1 The polynomial $Q_n$ is of degree at most $2T(n)$.

Proof

By (1), it suffices to show that for all partial functions
$s : (\mathbb{Z}/2\mathbb{Z})^n \to E$ such that $|\mathrm{dom}(s)| \le 2T(n)$, the probability
$Q_n^s(D)$ that a random function $f$ hiding a subgroup of order $D$ extends $s$ is a polynomial
in $D$ of degree at most $2T(n)$. So, let $s$ be such a partial function. We will proceed in
three steps: we first examine the case where $s$ is a constant function, then the case where
$s$ is injective and finally the general case.

Let us therefore suppose that $s$ is constant and write
$\mathrm{dom}(s) = \{a_i \mid i = 1, \dots, k\}$, with $k \le 2T(n)$, the $a_i$'s being of course
all different. A function $f$ hiding a subgroup $H$ extends $s$ if and only if
$\{a_i - a_1 \mid i = 1, \dots, k\} \subseteq H$ and $f(a_1) = s(a_1)$. So
$Q_n^s(D) = Q_n^{s'}(D)$ where $s'(x) = s(x - a_1)$. We will thus suppose without loss of
generality that $a_1 = 0$. Since $E$, the possible range for $f$, is of size $2^n$, we have
$Q_n^s(D) = \frac{\lambda}{2^n}$ where $\lambda$ is the proportion, among the subgroups of order
$D$, of those containing $\mathrm{dom}(s)$. Let $H'$ be the subgroup generated by
$\mathrm{dom}(s)$, and $D' = 2^{d'}$ its order, $d'$ being the dimension of $H'$ as a vector
space. The number of subgroups of order $D$ containing $H'$ is equal to the number of subgroups
of order $D/D'$ of $(\mathbb{Z}/2\mathbb{Z})^n / H'$, which is isomorphic to
$(\mathbb{Z}/2\mathbb{Z})^{n-d'}$; so there are $\beta(n - d', d - d')$ of them. We then have

$$Q_n^s(D) = \frac{1}{2^n} \, \frac{\beta(n - d', d - d')}{\beta(n, d)} = \frac{1}{2^n} \prod_{0 \le i < d'} \frac{D - 2^i}{2^n - 2^i},$$

which is a polynomial in $D$ of degree $d' \le |\mathrm{dom}(s)| \le 2T(n)$.
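The count of Lemma 2 and the proportion $\lambda$ of the constant case can be checked by brute force for small $n$. The Python sketch below is an added example, not code from the paper; the function names and the sample domain (n = 4, dom(s) = {0, 0011, 0101, 0110}) are constructed for illustration.

```python
from fractions import Fraction
from itertools import combinations

def span(gens):
    """Subgroup of (Z/2Z)^n generated by gens (vectors as ints, addition is XOR)."""
    H = {0}
    for g in gens:
        H |= {h ^ g for h in H}
    return frozenset(H)

def subgroups_of_order(n, k):
    """Brute force: all subgroups of (Z/2Z)^n of order 2^k."""
    found = set()
    for gens in combinations(range(1, 2**n), k):
        H = span(gens)
        if len(H) == 2**k:          # the k generators were free
            found.add(H)
    return found

def alpha(n, k):
    """Number of free k-tuples: prod_{0<=i<k} (2^n - 2^i)."""
    out = 1
    for i in range(k):
        out *= 2**n - 2**i
    return out

def beta(n, k):
    """Lemma 2: number of subgroups of order 2^k, alpha(n,k)/alpha(k,k)."""
    return alpha(n, k) // alpha(k, k)

def lam_brute(n, d, dom):
    """Proportion of the subgroups of order 2^d that contain every point of dom."""
    subs = subgroups_of_order(n, d)
    return Fraction(sum(1 for H in subs if set(dom) <= H), len(subs))

def lam_closed(n, d, dom):
    """prod_{0<=i<d'} (D - 2^i)/(2^n - 2^i), with D = 2^d and 2^d' = |<dom>|."""
    d_prime = len(span(dom)).bit_length() - 1
    D, out = 2**d, Fraction(1)
    for i in range(d_prime):
        out *= Fraction(D - 2**i, 2**n - 2**i)
    return out

# Constructed sample: n = 4, dom(s) generates a subgroup of order 4, so d' = 2.
N, DOM = 4, (0b0000, 0b0011, 0b0101, 0b0110)

if __name__ == "__main__":
    for k in range(N + 1):
        print("order", 2**k, "brute", len(subgroups_of_order(N, k)), "beta", beta(N, k))
    for d in range(N + 1):
        print("D =", 2**d, "brute", lam_brute(N, d, DOM), "closed", lam_closed(N, d, DOM))
```

Dividing `lam_closed` by $2^n$ gives $Q_n^s(D)$ for a constant $s$ with this domain; the product has $d' = 2$ factors, so it is a polynomial in $D$ of degree 2.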

Let us now suppose that $s$ is injective. We still write in the same way
$\mathrm{dom}(s) = \{a_i \mid i = 1, \dots, k\}$. A function $f$ hiding a subgroup $H$ extends
$s$ if and only if the $a_i$'s lie in distinct cosets of $H$ and $f$ takes appropriate values
on these cosets; so $Q_n^s(D) = \nu\lambda$, where $\lambda$ is the probability for a subgroup
$H$ of order $D$ to contain none of the $a_i - a_j$ $(i \ne j)$ and $\nu$ is the probability
to extend $s$ for a function $h$ hiding a subgroup $H$ of order $D$ that does not contain any
of the $a_i - a_j$ $(i \ne j)$. First we compute $\nu$. For each subgroup $H$ of order $D$ that
does not contain any of the $a_i - a_j$ $(i \ne j)$ there are
$(2^n)(2^n - 1) \cdots (2^n - n/D + 1)$ possible functions $f$: choose a different value for
each coset of $H$. Among these functions, the number of them extending $s$ is
$(2^n - k)(2^n - k - 1) \cdots (2^n - n/D + 1)$: choose a value for each coset not containing
any $a_i$. So $\nu = \frac{(2^n - k)!}{(2^n)!}$. The probability $\lambda$ is equal to
$1 - \mu$, where $\mu$ is the probability for a subgroup $H$ of order $D$ to contain some
$a_i - a_j$ for some $i \ne j$.

By the inclusion-exclusion formula, we can expand $\lambda$ as follows:

$$\lambda = 1 - \sum_{i \ne j} \Pr(a_i - a_j \in H) + \sum_{\substack{i_1 \ne j_1,\ i_2 \ne j_2 \\ \{i_1; j_1\} \ne \{i_2; j_2\}}} \Pr(a_{i_1} - a_{j_1} \in H \wedge a_{i_2} - a_{j_2} \in H) - \cdots$$

Our study of the first case above shows that each term in this sum is a polynomial in
$D$ of degree less than $d'$, where the order of the subgroup generated by the $a_i - a_j$'s
is $2^{d'}$. Since $a_i - a_j$ is always in the subgroup generated by $\mathrm{dom}(s)$,
$d' \le |\mathrm{dom}(s)| \le 2T(n)$.

Finally, in the general case the partial function $s$ is defined by conditions of the form

$$\begin{cases} s(a^1_1) = s(a^1_2) = \cdots = s(a^1_{k_1}) = b_1 \\ s(a^2_1) = s(a^2_2) = \cdots = s(a^2_{k_2}) = b_2 \\ \quad \vdots \\ s(a^l_1) = s(a^l_2) = \cdots = s(a^l_{k_l}) = b_l \end{cases}$$

with $b_1, \dots, b_l$ all different. In the same way as before, we will suppose without loss
of generality that $a^1_1 = 0$. Furthermore, since $f(a^i_j) = f(a^i_1)$ is equivalent to
$f(a^i_j - a^i_1) = f(0)$ (i.e. $a^i_j$ and $a^i_1$ are in the same coset of $H$) we can remove
each $a^i_j$, for $i, j > 1$, from $\mathrm{dom}(s)$ and replace them by adding the point
$a^i_j - a^i_1$ to $\mathrm{dom}(s)$ associated to the value $b_1$. The size of
$\mathrm{dom}(s)$ does not increase. It may happen that $s$ was already defined on one of
these entries and that our new definition is contradictory. In that case there is simply no
subgroup-hiding function $f$ extending $s$, so $Q_n^s$ is simply the null polynomial and we are
done. We will therefore consider only conditions of the form:

$$\begin{cases} s(0) = s(a^1_2) = \cdots = s(a^1_{k_1}) = b_1 \\ s(a^2) = b_2 \\ \quad \vdots \\ s(a^l) = b_l \end{cases}$$

The probability $Q_n^s(D)$ that a function $f$ hiding a subgroup of order $D$ extends $s$ is
the probability $Q_1$ that $f$ satisfies $f(0) = f(a^1_2) = \cdots = f(a^1_{k_1}) = b_1$ times
the probability $Q_2$ that $f$ extends $s$ given that
$f(0) = f(a^1_2) = \cdots = f(a^1_{k_1}) = b_1$. We have already computed the first probability:
this is the case where $s$ is constant. Let $H'$ be the subgroup generated by the $a^1_j$'s and
$D' = 2^{d'}$ its order; then
$Q_1 = \frac{1}{2^n} \prod_{0 \le i < d'} \frac{D - 2^i}{2^n - 2^i}$. Let us define $s'$ on $G/H'$
as the quotient of $s$ if it exists (if not, this means again that $Q_n^s$ is the null
polynomial, and we are done). If $f$ satisfies $f(0) = f(a^1_2) = \cdots = f(a^1_{k_1}) = b_1$
then we can define $f'$ on $G/H'$ as the quotient of $f$; the condition "$f$ extends $s$ and
hides a subgroup of order $D$" is equivalent to "$f'$ extends $s'$ and hides a subgroup of order
$D/D'$". Since $s'$ is defined by the condition
$s'(H') = b_1,\ s'(a^2 + H') = b_2,\ \dots,\ s'(a^l + H') = b_l$ and is injective, our study of
the second case shows that $Q_2 = Q^{s'}(D/D')$ is a polynomial in $D$ of degree less than
$|\mathrm{dom}(s')|$. Hence, $Q_n^s(D)$ is a polynomial in $D$ of degree at most
$d' + |\mathrm{dom}(s')| \le |\mathrm{dom}(s)| \le 2T$.

□ 

Now that we have an upper bound on the degree of $Q_n$, let us find a lower bound. The
following analogue of the lemmas of Paturi [?] and Nisan-Szegedy [?] will help.

Lemma 3 Let $c > 0$ be a constant and $P$ a polynomial with the following properties:

1. For any integer $0 \le i \le n$ we have $|P(2^i)| \le 1$.

2. For some real number $1 \le x_0 \le 2$ we have $|P'(x_0)| \ge c$.

Then $\deg(P) = \Omega(n)$, and more precisely:
$\deg(P) \ge \min\left(\frac{n}{2}, \frac{n + 2 + \log_2 c}{4}\right)$.

Proof

Let $d$ be the degree of $P$, and let us write
$P'(X) = \lambda \prod_{i=1}^{d-1} (X - \alpha_i)$, where the $\alpha_i$'s are real or complex
numbers. The polynomials $P'$ and $P''$ are respectively of degree $d - 1$ and $d - 2$, so
there exists an integer $a \in [n - 2d + 2; n - 1]$ such that $P''$ has no real root in
$(2^a; 2^{a+1})$, and $P'$ has no root whose real part is in this same interval. If
$d \ge n/2$ there is nothing to prove, so we may and we will assume that $d < \frac{n}{2}$.
This implies in particular that $2^a \ge 4$.

The polynomial $P'$ is monotone on $(2^a; 2^{a+1})$, for $P''$ has no root in it. This means
that $P$ is either convex or concave on this interval, so that the graph of $P$ is either over
or under its tangent at the middle point of the interval, which is equal to
$\frac{2^a + 2^{a+1}}{2} = \frac{3}{2} 2^a$. Suppose that $P'\left(\frac{3}{2} 2^a\right)$ is
nonnegative (the case when it is negative is similar). Then $P$ is increasing on
$(2^a; 2^{a+1})$, since $P'$ has no root in this interval. Let $y = t(x)$ be the equation of
the tangent of $P$ at $\frac{3}{2} 2^a$. If $t(2^{a+1}) > 1$, then $P(2^{a+1}) < t(2^{a+1})$, so
$P$ is concave on $(2^a; 2^{a+1})$, hence $-1 \le P(2^a) \le t(2^a)$. But, since $P$ is monotone
on $(2^a; 2^{a+1})$, $t\left(\frac{3}{2} 2^a\right) = P\left(\frac{3}{2} 2^a\right) \le 1$. Since
$t(2^{a+1}) - t\left(\frac{3}{2} 2^a\right) = t\left(\frac{3}{2} 2^a\right) - t(2^a)$, it follows
that $t(2^{a+1}) \le 3$ and $t(2^{a+1}) - t(2^a) \le 4$. The same inequality can also be derived
if we assume $t(2^a) < -1$, and it is of course still true if $t(2^a) \ge -1$ and
$t(2^{a+1}) \le 1$. We conclude that the inequality $t(2^{a+1}) - t(2^a) \le 4$ always holds,
which implies that $0 \le P'\left(\frac{3}{2} 2^a\right) \le \frac{4}{2^a}$. If we now include
the case where $P'$ is negative, we obtain the inequality

$$\left| P'\left(\frac{3}{2} 2^a\right) \right| \le \frac{4}{2^a} = \frac{1}{2^{a-2}}.$$
We therefore have

$$\left| \frac{P'\left(\frac{3}{2} 2^a\right)}{P'(x_0)} \right| \le \frac{1}{c\, 2^{a-2}} \le \frac{1}{c\, 2^{n-2d}}. \tag{2}$$

To conclude we need to state a simple geometric fact. Let $MBC$ be a triangle, $M'$ the
orthogonal projection of $M$ onto $(BC)$, and $(d)$ the perpendicular bisector of $[BC]$. Let
us suppose that $M$ is "at the right of $(d)$", i.e. $MC \le MB$.

[Figure: the triangle $MBC$.]

Since $C$ is closer to the line $(MM')$ than $B$,
$\tan\alpha = MM'/BM' \le \tan\beta = MM'/CM'$. Hence $\alpha \le \beta$, and
$\cos\alpha \ge \cos\beta$, i.e.:

$$\frac{MC}{MB} \ge \frac{M'C}{M'B}. \tag{3}$$



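Let $f : \mathbb{R} \to \mathbb{R}$, $x \mapsto \left| \frac{\frac{3}{2} 2^a - x}{x_0 - x} \right|$.
Since $x_0 < 2^a < \frac{3}{2} 2^a < 2^{a+1}$, a quick study of this function shows that for all
$x \in \mathbb{R} \setminus \left( \{x_0\} \cup (2^a; 2^{a+1}) \right)$,
$f(x) \ge \min\left(1, f(2^a), f(2^{a+1})\right) \ge \frac{1}{4}$.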



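We will distinguish two cases for each $i \in \{1; \dots; d - 1\}$.

1. If $\Re(\alpha_i) \le \frac{1}{2}\left(\frac{3}{2} 2^a + x_0\right)$, then
$\left| \frac{\frac{3}{2} 2^a - \alpha_i}{x_0 - \alpha_i} \right| \ge 1$.

2. If $\Re(\alpha_i) > \frac{1}{2}\left(\frac{3}{2} 2^a + x_0\right)$, let us apply (3) to the
points $M = \alpha_i$, $M' = \Re(\alpha_i)$, $B = x_0$ and $C = \frac{3}{2} 2^a$. We obtain the
inequality

$$\left| \frac{\frac{3}{2} 2^a - \alpha_i}{x_0 - \alpha_i} \right| \ge \left| \frac{\frac{3}{2} 2^a - \Re(\alpha_i)}{x_0 - \Re(\alpha_i)} \right|.$$

Remember though that no root of $P'$ has its real part in $(2^a; 2^{a+1})$, so that
$\left| \frac{\frac{3}{2} 2^a - \alpha_i}{x_0 - \alpha_i} \right| \ge \frac{1}{4}$.

We conclude that $\left| \frac{\frac{3}{2} 2^a - \alpha_i}{x_0 - \alpha_i} \right| \ge \frac{1}{4}$
in both cases. Taking (2) into account, we finally obtain the inequality
$\frac{1}{4^{d-1}} \le \frac{1}{c\, 2^{n-2d}}$, hence $d \ge \frac{n + 2 + \log_2 c}{4}$.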

□ 

We can now complete the proof of Theorem 1. Let $A$ be our algorithm solving Simon's
problem with bounded error probability $\epsilon$ and query complexity $T$. As pointed out
before Lemma 2, the associated polynomial $Q_n$ satisfies $|Q'_n(x_0)| \ge 1 - 2\epsilon$ for
some $x_0 \in [1, 2]$ and $Q_n(2^i) \in [0, 1]$ for any $i \in \{0, 1, \dots, n\}$. An application
of Lemma 3 to the polynomial $P = 2Q_n - 1$ therefore yields the inequality
$\deg(Q_n) \ge \min\left(\frac{n}{2}, \frac{n + 2 + \log_2(2 - 4\epsilon)}{4}\right)$. Theorem 1
follows since $\deg(Q_n) \le 2T(n)$ by Proposition 1.